24 October 2017

Verbal comments by Neil Schwartzman, Executive Director and Matthew Vernhout, Director-at-large of the Coalition Against Unsolicited Commercial Email to the Standing Committee on Industry, Science and Technology, Ottawa, October 24, 2017

Neil Schwartzman

With apologies to The Bard of Avon,

Friends, Parliamentarians, countrymen, lend me your ears;

I come to praise CASL, not to kill it.

The evil that critics of CASL do lives with them;

The good is imbued in its sections;

So let it be with CASL.

CASL’s noble adversaries may tell you the law is too ambitious, as if it were a grievous fault.

CASL enshrines the work of the 2005 federal task force on spam; best practices found in our final report are now global industry standards. Best practices do nothing without holding bad players accountable.

CASL is a crowd-sourced law, taking input from hundreds, working tens of thousands of hours. The Messaging Anti-Abuse Working Group, MAAWG, is a 185-member industry association of companies such as Apple, Facebook, Google, Amazon, and Bell Canada. MAAWG participated in the CASL process and sent a letter to the Prime Minister urging passage of the law.

My name is Neil Schwartzman; I am the executive director of CAUCE, the Coalition Against Unsolicited Commercial Email. I wrote the world’s first distributed spam filter, and 20 years later, here we are.

I am a management consultant; my clients include the world’s largest company and the world’s biggest sender of email, and I teach cyber investigation methods to international law enforcement.

Spam filtering costs recipients 20 billion dollars a year according to researchers at Microsoft and Google, and the fact is spam has become much worse of late; ransomware and phishing payloads are vicious.

Affiliate spam, 90% of the pourriel hitting our networks, is an open sewer spraying 1 BILLION messages per hour at our families, friends and colleagues.

Unsolicited junk email, texts and phone calls from Wal-Mart, DirecTV, and Fidelity are some of the affiliate spam sent by third parties earning commissions from the brand. CASL was purpose-built to remedy such activity.

Studies and data have proven CASL is a protective shield against the spam coming into, and out of, Canada.

Law enforcement can’t possibly investigate - nor do they know about - all spam attacks. CASL’s Private Right of Action, a right integral to America’s CANSPAM Act, has been suspended, lamentably preventing Canadian ISPs, businesses and organizations from seeking compensation for damages to their networks and users.

Declarations of CASL’s damaging effects are laughable. The OECD has projected Canada’s 2018 economic growth outlook to be the best of the G-7; Quebec enjoys its lowest unemployment rate in three decades.

Yes, legitimate companies bear costs to become compliant, just as when PIPEDA came into force.

Business must be vigilant - data breaches occur daily, business email compromise results in losses in the hundreds of millions. CASL defines the modern standards of data integrity and permission companies must maintain in the global economy. The EU’s updated GDPR privacy law comes into effect in 2018. Failing to maintain parity will put us at a severe economic disadvantage.

In two cases prosecuted by the CRTC, the marketing departments of Rogers and Kellogg's were found to have bought spam email lists from third-party firms.

Why are spammers afraid of CASL and trying to gut it of effectiveness? Because it is working. We will hear from my colleague Matt, a 20-year marketing professional, who has data proving marketing has grown in volume and effectiveness under CASL. We keep hearing about chilling effects, yet our economy is growing, and marketing is more effective. Chilling? I’m feeling rather warm.

CASL is so frightening to spammers that they lobby Canada’s law enforcement and legislators. American groups with direct business ties to shady, black-hat spamming groups will make presentations to this very body.

With this in mind, I exhort you to leave CASL intact. Adjust, yes, clarify, no doubt, but do not come here to kill CASL. Do Caesar proud.

Thank you.

Matthew Vernhout

Good afternoon. To our distinguished Members of Parliament, thank you for inviting us to speak with you today.

My name is Matthew Vernhout, and I am here on behalf of CAUCE. In my professional capacity I am the Director of Privacy and Industry Relations for the email analytics firm 250ok, the Chair of the Email Experience Council’s Advocacy Committee, and an active member of the global email marketing community. I participated in the drafting of America’s CAN-SPAM Act and had the pleasure of speaking to this Committee in support of CASL in 2009.

I have published dozens of articles, been quoted in the press, spoken at numerous industry events, and consulted with some of North America’s top brands regarding CASL compliance.

In fact, one of the comparative benchmark reports I authored for ISED was recently cited in the CRTC decision on the constitutional challenge by CompuFinder.

The positive effects of CASL on the email industry are remarkable.

I am delighted to say analysis finds the email industry thriving and experiencing significant growth. Businesses ensure they have recipient consent and they are seeing the positive benefits of those efforts.

A common trend has emerged from several reports published in the past three years: more messages are delivered to Canadian consumers’ inboxes post-CASL, due to better list management practices and increased consumer trust.

A recent industry report shows that two countries with the toughest anti-spam legislation, Canada and Australia, also have the best deliverability of commercial emails to inboxes in the G-8 countries studied.

The basic framework of CASL is a series of email marketing best practices that have been the basis of most of my consulting efforts over the past seventeen years:

• Ask permission first

• Honour opt-outs

• Be clear about who you are and why you are writing to your customer.

CASL has taken these ideas and made them the law of the land.

As my colleague stated, CASL is working to diminish spam; moreover, it is working to make legitimate email marketing more successful and more effective.

There is far too much baseless fear, uncertainty and doubt being spread by the naysayers of CASL, who are neither anti-abuse nor marketing professionals.

When I speak with marketers about their compliance efforts and the changes that they make to their digital marketing I often hear, “This is a lot of work, but isn’t nearly as difficult as I thought it would be.”

However, we still have a long road ahead of us. The Spam Reporting Centre receives 6,000 complaints per week, totalling more than one million complaints since 2014.

For example, the blacklist operator SURBL notes that there are currently 70 .ca domains spamming counterfeit goods scams to Canadians.

There are also active spam gangs set up on hosting providers in Montréal, Hamilton, and Vancouver.

Regarding the PRA suspension, this renders CASL toothless. I recommend the PRA be revisited to allow network operators who carry the cost of spam to avail themselves of redress.

In closing, it is our hope that the law remains a strong and viable tool to protect email marketing, networks, and consumers from unwanted spam messaging.

Canadians, like all consumers, deserve nothing less.
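Matthew Vernhout's remarks above cite SURBL, a URI blocklist of domains seen in spam. The following is an added example, not code from CAUCE or SURBL, showing how a receiving site checks the domains found in a message body against such a list: the registrable domain is prepended to the zone name (`<domain>.multi.surbl.org`), and a listed domain resolves to an address of the form 127.0.0.N where the bits of N say which sub-lists matched. The bit meanings in `SURBL_BITS`, the tiny public-suffix table, and the constructed resolver and message are assumptions for the example; verify the bit table against SURBL's current documentation before using it, and use a proper Public Suffix List in production.

```python
"""Check URL domains in a message body against a SURBL-style URI blocklist.

Added example; the bit table and resolver here are constructed for
illustration and are not SURBL's own code.
"""
import re
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

ZONE = "multi.surbl.org"

# Assumed bit assignments for multi.surbl.org; confirm against SURBL's docs.
SURBL_BITS = {8: "PH (phishing)", 16: "MW (malware)", 64: "ABUSE", 128: "CR (cracked)"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)

# Illustrative stand-in for the Public Suffix List: registries where the
# registrable domain is three labels long rather than two.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_domains(body: str) -> List[str]:
    """Unique registrable domains from http(s) URLs in the body, in order."""
    seen: List[str] = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        # Literal IP addresses are queried with reversed octets in SURBL;
        # that case is left out of this example.
        if host and not host.replace(".", "").isdigit():
            dom = registrable_domain(host)
            if dom not in seen:
                seen.append(dom)
    return seen


def surbl_query_name(domain: str) -> str:
    return f"{domain}.{ZONE}"


def decode_surbl(answer: Optional[str]) -> List[str]:
    """Map an A-record answer such as 127.0.0.24 to the named sub-lists."""
    if answer is None:          # NXDOMAIN: not listed
        return []
    octets = answer.split(".")
    if octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"unexpected blocklist answer {answer}")
    mask = int(octets[3])
    return [name for bit, name in SURBL_BITS.items() if mask & bit]


def default_resolver(name: str) -> Optional[str]:
    """Live DNS lookup; returns None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_message(body: str,
                  resolve: Callable[[str], Optional[str]] = default_resolver) -> Dict[str, List[str]]:
    """Return {domain: [matched lists]} for every listed domain in the body."""
    hits: Dict[str, List[str]] = {}
    for dom in extract_domains(body):
        lists = decode_surbl(resolve(surbl_query_name(dom)))
        if lists:
            hits[dom] = lists
    return hits


# Constructed sample: a resolver that lists one domain as phishing + malware.
FAKE_DNS = {"badshop.ca.multi.surbl.org": "127.0.0.24"}
SAMPLE_BODY = ("Great deals at http://badshop.ca/watches - "
               "see also https://www.example.com/about")

if __name__ == "__main__":
    print(check_message(SAMPLE_BODY, FAKE_DNS.get))
```

A filter would score or reject a message on `check_message` returning any hit; high-volume use of the public zone is subject to SURBL's usage policy, so production deployments typically run a local copy of the data.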

Update

TO: INDU@parl.gc.ca

October 28, 2017

To whom it may concern,

We are forwarding an electronic message from Deborah Evans of Rogers Media Inc.

The undertaking that RMI signed with the CRTC on November 26, 2015 reads, in part:

AND WHEREAS the CCEO has advised RMI that Commission Staff is of the view that express consent is required to send commercial electronic messages on behalf of unknown third parties. More specifically, Commission Staff is of the view that implied consent cannot be relied upon to send commercial electronic messages on behalf of unknown third parties, without obtaining prior specific express consent in accordance with the Act, Regulations and Regulations (CRTC);

Should anyone see daylight between our stated position and that of RMI, we would wish to correct the record. Ms. Evans’ email reads as follows:

14 May 2017

359,000 computers infected, dozens of nations affected world-wide! A worm exploiting a Windows OS vulnerability that looks to the network for more computers to infect! This is the most pernicious, evil, dangerous attack, ever.

Wait, what? WannaCry isn’t unprecedented! Why would any professional in the field think so? I’m talking about Code Red, and it happened in July, 2001.

Since then dozens, perhaps hundreds, of Best Common Practice documents (several of which I’ve personally worked on) have been tirelessly written, published, and evangelized, apparently to no good effect. Hundreds of thousands, perhaps millions, of viruses and worms have come and gone.

Criminal charges should be considered: Anyone who administers a system that touches critical infrastructure, and whose computers under their care were made to Cry, if people suffered, or died, as is very much the possibility for the NHS patients in the UK, should be charged with negligence. Whatever ransom was paid should be taken from any termination funds they receive, and six weeks pay deducted, since they clearly were not doing their job for at least that long.

Harsh? Not really. The facts speak for themselves. A patch was available at least six weeks prior (and yesterday, was even made available by Microsoft for ‘unsupported’ platforms such as Windows XP), as was the case with Code Red.

One representative from a medical association said guilelessly, in one of the many articles I’ve read since Friday ‘we are very slow to update our computers’. This from someone with a medical degree. Yeah, thanks for the confirmation, pal.

Someone should be arrested and charged, and by someone I mean systems administrators, ‘CSOs’ and anyone else in line to protect systems, who abjectly failed this time, a lot. WannaCry infections of critical infrastructure are an inexcusable professional lapse. Or, we could just do all of this again, next time, and people may die.

Afterthought: My organization, CAUCE.org recently turned 20 years old. When it started, we didn’t believe things could get this bad, but it wasn’t too soon after that it became apparent. I issued dire warnings about botnets in 2001 to the DHS, I made public pronouncements to these ends in 2005 (greeted by rolled eyes from an RCMP staff sergeant). I may have been a little too prescient for my own good at the time, but can anyone really say, in this day and age, that lives are at stake, and we are counting on those responsible for data safety to at least do the bare minimum? I await your comments, below.

18 June 2016

Sanford Wallace has been sending spam for over 20 years. Despite losing innumerable lawsuits, he managed to stay out of jail until now. His luck finally ran out in a case where he was convicted of contempt of court and of hacking many Facebook users.

20 November 2015

Today the Canadian Radio-television and Telecommunications Commission (CRTC) announced that Rogers Media, one of the largest mobile phone and cable companies in Canada, had agreed to pay $200,000 to resolve long-running violations of Canada's Anti-Spam Law. For over a year, July 2014 to July 2015, Rogers sent e-mail with opt-out links that didn't work, or, if they did work, Rogers continued to send mail anyway. The details of the undertaking Rogers agreed to are here.

Rogers is a big, sophisticated company, and there's no good reason they can't manage their mail to stop sending ads when people ask them to. This kind of spam is particularly hard to filter, since the same message might be sent to a Rogers customer who'd agreed to receive it and to someone else who'd told them to stop.
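Because a recipient-side filter cannot tell a consented copy of a message from a non-consented one, the check has to happen on the sending side, before each message goes out. The following is an added example, not code from CAUCE, Rogers or the CRTC, of such a gate. It encodes the three practices listed in Matthew Vernhout's remarks (ask permission, honour opt-outs, identify the sender) and the rule from the Rogers undertaking that messages on behalf of a third party need express rather than implied consent, and it models the Rogers failure: an unsubscribe that must actually work and must suppress further mail no matter what consent was once recorded. The data model, the `mail.example` unsubscribe URL, the HMAC token scheme and the sample recipients are assumptions for the example; retention periods and evidence requirements for consent are not modelled.

```python
"""Sender-side consent and opt-out gate (added example, not a product's code)."""
from dataclasses import dataclass, field
import hashlib
import hmac
from typing import Dict, Set, Tuple


@dataclass
class Message:
    subject: str
    body: str
    sender_id: str            # name and contact details of the actual sender
    on_behalf_of: str = ""    # non-empty when the message is sent for a third party


@dataclass
class Sender:
    secret: bytes                                              # key for unsubscribe tokens
    consents: Dict[str, str] = field(default_factory=dict)     # address -> "express" | "implied"
    suppressed: Set[str] = field(default_factory=set)          # addresses that opted out

    def record_consent(self, address: str, kind: str) -> None:
        """Store consent obtained from the recipient (ask permission first)."""
        if kind not in ("express", "implied"):
            raise ValueError(f"unknown consent kind {kind!r}")
        addr = address.lower()
        # A fresh opt-in after an opt-out is a new decision by the recipient.
        self.suppressed.discard(addr)
        self.consents[addr] = kind

    def unsubscribe_token(self, address: str) -> str:
        """Keyed hash so an unsubscribe link cannot be forged for other addresses."""
        return hmac.new(self.secret, address.lower().encode(), hashlib.sha256).hexdigest()[:32]

    def handle_unsubscribe(self, address: str, token: str) -> bool:
        """Process an unsubscribe click; returns True only if the token is valid."""
        addr = address.lower()
        if not hmac.compare_digest(token, self.unsubscribe_token(addr)):
            return False
        self.suppressed.add(addr)          # honour the opt-out from now on
        self.consents.pop(addr, None)
        return True

    def may_send(self, address: str, msg: Message) -> Tuple[bool, str]:
        """Evaluated before every single send; the suppression list wins over any consent."""
        addr = address.lower()
        if addr in self.suppressed:
            return False, "recipient opted out"
        kind = self.consents.get(addr)
        if kind is None:
            return False, "no consent on record"
        if msg.on_behalf_of and kind != "express":
            return False, "third-party message needs express consent"
        if not msg.sender_id.strip():
            return False, "message must identify the sender"
        return True, "ok"

    def build(self, address: str, msg: Message) -> Dict[str, str]:
        """Return the per-recipient message, or raise if the gate refuses it."""
        ok, why = self.may_send(address, msg)
        if not ok:
            raise PermissionError(why)
        link = (f"https://mail.example/unsub?a={address.lower()}"
                f"&t={self.unsubscribe_token(address)}")
        footer = f"\n\nSent by {msg.sender_id}"
        if msg.on_behalf_of:
            footer += f" on behalf of {msg.on_behalf_of}"
        footer += f"\nUnsubscribe: {link}"
        return {"To": address, "Subject": msg.subject,
                "List-Unsubscribe": f"<{link}>", "Body": msg.body + footer}


if __name__ == "__main__":
    # Constructed walk-through of the failure the Rogers case describes.
    s = Sender(secret=b"example-key")
    s.record_consent("alice@example.com", "express")
    offer = Message("Deals", "Hello", "Example Shop, 1 Main St, Ottawa")
    print(s.may_send("alice@example.com", offer))
    tok = s.unsubscribe_token("alice@example.com")
    print(s.handle_unsubscribe("alice@example.com", tok))
    print(s.may_send("alice@example.com", offer))   # refused after the opt-out
```

The design point is that `may_send` is a gate on every message, not a one-time list scrub: a list that was clean when exported is exactly how a sender keeps mailing people who unsubscribed last week.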

26 August 2015

My anti-spam community friends were all abuzz today with the news that Spamford Wallace had pleaded guilty in a Las Vegas court to "compromising approximately 500,000 Facebook accounts" in order to deliver "more than 27 million spam messages."

What might amaze the General Reader is that this is the SAME Spamford Wallace case that began with an indictment on July 6, 2011.

According to the Indictment, Wallace created an account on November 4, 2008 under the name "David Frederix" and then tested posting spam messages to his 'real' wall "Sanford MasterWeb Wallace" experimenting with which posts would best evade Facebook's filters.

He then made a script that would automate the process of logging in to a Facebook account, obtaining a list of all of the Friends of that account, and then posting his advertising message to each of those friends' walls. Spamford then created a domain registrar account at Moniker Online and another at Dynadot (using the name Laura Frederix) and between the two created 2,500 domain names that would be used in these spamming attacks against Facebook users.

On November 5 and 6, 2008, Sanford sent approximately 125,000 spam messages to Facebook users using this method. On December 28, 2008, another run was made, posting nearly 300,000 spam messages, by logging in through 143 different IP addresses that were used as proxies to disguise his origins. On February 17, 2009, another 125,000 messages were posted.

At this point, a civil injunction was served on Sanford Wallace in the case of Facebook Inc v. Sanford Wallace (Northern District of California No 09-00798 JF) where Judge Jeremy Fogel ordered Sanford Wallace to no longer access Facebook's computer network. (Orders issued on March 2, 2009 and March 24, 2009). Sanford logged in on April 17, 2009, in violation of this order, while flying on a Virgin Airlines flight from Las Vegas to New York.

In 2011, Sanford was back on Facebook, using a profile called "David Sinful-Saturdays Fredericks"

Counts 1, 3 and 7 - Fraud and Related Activity in Connection with Electronic Mail, carry a possibility of 3 years imprisonment.

Counts 2, 6 and 9 - Intentional Damage to a Protected Computer, carry a maximum sentence of 10 years imprisonment.

Counts 4, 5 and 8 - Fraud and Related Activity in Connection with Electronic Mail, carry a possible 3 years imprisonment and a possible $250,000 fine.

What's Happened Since?

Lots and lots of lawyering... behold the process of a Fair and Speedy Trial!

04AUG2011 - the indictment was unsealed

04AUG2011 - notice of related cases was received. These included:

the case of Facebook v. Sanford Wallace, Adam Arzoomanian, Scott Shaw, and John Does 1 through 25, for violation of the CAN-SPAM Act, violation of the Computer Fraud and Abuse Act, violation of California Business Code Section 229489 AKA the California Anti-Phishing Act, and violation of California Penal Code section 502, the California Comprehensive Data Access and Fraud Act. That case describes: "At least one of the Defendants, Sanford (aka "Spamford") Wallace, is a notorious Internet scam artist who has been involved in various illegal spamming and malware activities since the mid 90s. Indeed, Mr. Wallace has both Federal Trade Commission and civil judgements against him for these activities that total in excess of $235 million." Myspace, Inc. v. Wallace; FTC v. Seismic Entertainment Prod., Inc; CompuServe v. CyberPromotions, Inc (Ohio, 1997)

This case resulted in a Default Judgement in favor of Facebook signed by Judge Jeremy Fogel on 29OCT2009.

22AUG2011 - bail hearing

28SEP2011 - case reassigned to a new Judge (Judge D. Lowell Jensen)

30SEP2011 - Order to Waive Appearance proposed (and granted)

03OCT2011 - Status hearing held

04OCT2011 - case reassigned to Judge Edward J. Davila

31OCT2011 - Pretrial services form 8 submitted.

28NOV2011 - Status hearing held

09JAN2012 - "Fair and Speedy Trial Act" exemption requested due to the AUSA being engaged in another trial, and for additional time for the defendant's need for effective preparation of counsel. "The ends of justice served by granting the requested continuance outweigh the best interest of the public and the defendant in a speedy trial." - extension granted until 09APR2012.

02APR2012 - extended to 07MAY2012 by mutual consent.

and again to 06AUG2012, and again to 01OCT2012, and again to 19NOV2012

Status hearings held 14JAN2013, 11MAR2013

11MAR2013 - hearing grants a modification to pretrial release conditions to allow Spamford to travel to Albuquerque, New Mexico for work.

More delays 31MAY2013, 08AUG2013, 20SEP2013, in each case ordering that time be "excluded" from consideration in the Fair and Speedy Trial Act to allow for effective preparation for the case.

Continued to 31MAR2014, when Wallace assigns his new counsel, William W. Burns, Esquire.

25JUN2014 new counsel asks for more time to prepare

18JUL2014 William Burns petitions the court to withdraw as counsel

21JUL2014 Burns Relieved

21JUL2014 a Financial affidavit is delivered to the court pertaining to Spamford Wallace

01AUG2014 - "The individual named above as defendant, having testified under oath or having otherwise satisfied this court that he or she (1) is financially unable to employ counsel and (2) does not wish to waive counsel, and because the interests of justice so require, the Court finds that the defendant is indigent, therefore, IT IS ORDERED that the attorney whose name, address and telephone number are listed below is appointed to represent the above defendant." (Wm. Michael Whelan, Jr. / 95 South Market St, Ste 300 / San Jose, CA 95113 / (650) 319-5554 cell)

22. The factual allegations contained in Paragraphs One through Eleven above are realleged and incorporated herein as if set forth in full.

23. On or about December 28, 2008, in the Northern District of California and elsewhere, the defendant, SANFORD WALLACE, knowingly accessed a protected computer without authorization, and intentionally initiated the transmission of multiple commercial electronic mail messages from or through such computer, in and affecting interstate and foreign commerce, to wit: the defendant accessed Facebook's computer network in order to initiate the transmission of a program that resulted in nearly 300,000 spam messages being sent to Facebook users.

What were 1 through 11? The only really important paragraph is number 5:

5. From approximately November 2008 through March 2009, WALLACE developed and executed a scheme to send spam messages to Facebook users that compromised approximately 500,000 legitimate Facebook accounts, and resulted in over 27 million spam messages being sent through Facebook's servers.

10 June 2015

CAUCE is proud to announce the publication of the new Operation Safety-Net. This document is intended for business and government leaders (but interesting to anyone), and contains 60 pages of clear and readable advice. It addresses best practices for online, mobile, and telephony threats.

CAUCE executive director Neil Schwartzman led the effort as part of the steering committee with peers from M3AAWG and Industry Canada. President John Levine provided technical content on DNS and IP address threats.

31 May 2015

The six defendants charged today are alleged to have profited from the unlawful billing of consumers for unsolicited services. Hundreds of thousands of customers collectively lost tens of millions of dollars in this far-reaching scheme ...

24 May 2015

Court fines "Rachel from card services" $1.7 million

For years "Rachel" has been robocalling to tout fake credit relief scams, making her one of the least popular people in America. The FTC has been working on this case for years, and now has an injunction and a fine to stop at least some of the people behind her.

10 May 2015

FTC acts against fake weight loss affiliate spammer

The Federal Trade Commission has obtained a court order temporarily halting a Glendale, California, operation that allegedly used millions of illegal spam emails, along with false weight-loss claims and fake, unauthorized endorsements from celebrities like Oprah Winfrey, to market its unproven diet pills.

The court order halts the defendants’ illegal conduct, freezes their assets, and appoints a temporary receiver over the corporate defendants. The Commission ultimately is seeking to recover money from the defendants that would be used to provide refunds to consumers who bought the defendants’ diet pills.